The National Crime Agency (NCA), in the UK, has rung the alarm that online criminals are often ahead of the available security services and, by extension, of whatever security measures are implemented on site. (http://www.proactiveinvestors.com.au/pdf/create/news/details/127976)
That prompted Corero’s COO, Dave Larson, to react by saying “There is a false sense of security in many organisations that if you are compliant, then you are secure, and I don’t think those two things necessarily equate.”
It is therefore important that we understand what the dangers are and how vulnerable we are. We can then decide the steps needed to satisfy our risk tolerance. That brings to mind an old “military humor” joke:
If the order “SECURE THE BUILDING” was given, then…
The MARINE CORPS would assault the building, kill everyone in it and possibly blow it up.
The ARMY would put up defensive fortifications, sand bags and barbed wire.
The NAVY would turn off the lights and lock the doors.
The AIR FORCE would take out a three-year lease with an option to buy the building.
In previous articles, we have touched on the security aspects of the Data Center (“InDCent exposure” and “Risky business” – http://dcim.tumblr.com/) but the topic is still sensitive enough to warrant further discussion.
When we debate the issues of cyber security, we usually see it as the realm of the IT people. They are the ones dealing with viruses and hacker attacks, are they not?
There are, however, areas that are not under direct control of IT. Electromechanical equipment and building management systems (BMS), for example, belong to the Industrial Control Systems (ICS) domain and, wouldn’t you know, security vulnerabilities exist there too.
An interesting report came out last year from IBM that raises awareness of security attacks targeting ICS (http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?subtype=WH&infotype=SA&htmlfid=SEL03046USEN&attachment=SEL03046USEN.PDF). Countries like Canada and the U.S. are bearing the brunt of these attacks by being targeted most frequently. Worldwide attacks of this type have almost doubled since 2011, when the existence of Stuxnet (https://en.wikipedia.org/wiki/Stuxnet) became widely known. You may remember that the Stuxnet worm was responsible for the sabotage of Iran’s nuclear centrifuges and was the first malware found to include programmable logic controller (PLC) code.
Stuxnet and other similar malware are an extremely sophisticated form of hacking, thought to have been supported at the highest levels of some governments, and they have of course spurred safety concerns. From what is known at the moment, they spread mostly through either phishing emails or contaminated USB drives, which brings up the necessity to educate users on being suspicious of mail attachments and of USB drives surreptitiously left behind by malicious individuals.
In addition, many enterprises used to count on “security by obscurity” to avoid attacks, but that strategy is becoming much less effective. Search engines like SHODAN (https://www.shodan.io/) are building easily searchable databases of the types of devices connected to the Internet, thereby shedding an unfortunate light on that sought-after obscurity.
And there is no shortage of scary security reports, such as the Dell Security Annual Threat Report (http://www.netthreat.co.uk/assets/assets/dell-security-annual-threat-report-2016-white-paper-197571.pdf), where very interesting statistics are given.
It is easy to imagine that, in the future, mandatory auditing of ICS will begin to be requested more frequently, possibly stemming from organizations such as the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
The push for more stringent security on industrial infrastructures makes sense especially in light of some high profile attacks such as the one on the New York Dam (http://time.com/4270728/iran-cyber-attack-dam-fbi/), on a European energy company (http://www.theregister.co.uk/2016/07/12/scada_malware/) or the one that targeted the Ukrainian power company (http://www.reuters.com/article/us-ukraine-crisis-malware-idUSKBN0UI23S20160104).
As IT professionals, we just love to connect things together, and the revolution brought about by the “Internet of Things” is definitely appealing to our senses. Nonetheless, we have to be careful. The National Institute of Standards and Technology (NIST) has published a good document giving helpful guidance in that regard: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-183.pdf.
The same IBM report mentioned earlier also gives suggestions for the best practices to apply. Defining and identifying your ICS resources is of course paramount. Equally important is establishing security roles, responsibilities and authorization levels for IT, management, administrative staff and third-party users.
Strengthening access controls, regular audits and intrusion detection, among others, are tasks that can help secure your ICS resources and, by extension, mitigate or even prevent attacks.
As providers of Datacenter Clarity LC©, we are proud of the built-in security features that support the best practices required by this insecure new world. The compartmentalization of security roles, for example, makes it not only more resilient against external attacks but also ideal in a colocation environment, where third parties need some type of access but must be kept within their own boundaries nevertheless. Since malicious and non-malicious insiders cause more than 50% of the attacks, it makes sense to have a secure framework whenever and wherever possible.
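To make the two practices above concrete (roles with authorization levels for IT, management and third parties, and compartmentalized access in a colocation environment), here is an added example of a deny-by-default authorization check over a small ICS/DCIM asset inventory, with every decision written to an audit log. It is illustration code written for this article, not code from Datacenter Clarity LC or from the IBM report; the roles, zones, asset identifiers and user names are all constructed.

```python
"""Deny-by-default, zone-scoped authorization for an ICS/DCIM asset inventory.

Added example: not the product's code. All roles, zones, assets and users
below are constructed for illustration.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet, List, Optional, Tuple


class Level(IntEnum):
    """Authorization levels; a higher level implies the lower ones."""
    NONE = 0
    READ = 1      # view telemetry and configuration
    OPERATE = 2   # acknowledge alarms, adjust setpoints within limits
    ADMIN = 3     # change configuration, firmware, user roles


@dataclass(frozen=True)
class Asset:
    asset_id: str
    kind: str     # e.g. "PDU", "CRAC", "BMS controller"
    zone: str     # security zone: shared "facility" or one tenant's cage


@dataclass(frozen=True)
class Principal:
    user: str
    role: str
    zones: FrozenSet[str]   # zones this principal may touch at all


# Ceiling per role; a role missing from this table gets Level.NONE (deny by default).
ROLE_CEILING: Dict[str, Level] = {
    "it-admin": Level.ADMIN,
    "facility-ops": Level.OPERATE,
    "management": Level.READ,
    "tenant-tech": Level.OPERATE,   # third-party colocation technician
    "tenant-user": Level.READ,
}

# Roles belonging to the operator; only these may operate or administer shared gear.
INTERNAL_ROLES = {"it-admin", "facility-ops", "management"}

# Constructed inventory (hypothetical identifiers, not real equipment).
INVENTORY: Dict[str, Asset] = {
    "pdu-a1": Asset("pdu-a1", "PDU", "tenant-A"),
    "pdu-b1": Asset("pdu-b1", "PDU", "tenant-B"),
    "crac-01": Asset("crac-01", "CRAC", "facility"),
    "bms-main": Asset("bms-main", "BMS controller", "facility"),
}

AuditEntry = Tuple[str, str, str, str, str]   # user, role, asset, level, outcome


def authorize(principal: Principal, asset_id: str, requested: Level,
              inventory: Dict[str, Asset] = INVENTORY,
              log: Optional[List[AuditEntry]] = None) -> bool:
    """Return True only if every check passes; each decision is appended to log."""
    outcome = "allow"
    asset = inventory.get(asset_id)
    ceiling = ROLE_CEILING.get(principal.role, Level.NONE)
    if asset is None:
        outcome = "deny: unknown asset"               # inventory is the source of truth
    elif requested > ceiling:
        outcome = "deny: level exceeds role ceiling"
    elif asset.zone not in principal.zones:
        outcome = "deny: asset outside principal's zones"
    elif (asset.zone == "facility" and requested > Level.READ
          and principal.role not in INTERNAL_ROLES):
        outcome = "deny: third party may not operate shared equipment"
    if log is not None:
        log.append((principal.user, principal.role, asset_id, requested.name, outcome))
    return outcome == "allow"


def denied_attempts(log: List[AuditEntry], user: str) -> int:
    """Count denials for one user; a spike is a simple audit/detection signal."""
    return sum(1 for u, _, _, _, out in log if u == user and out != "allow")


def demo() -> List[AuditEntry]:
    """Walk through typical requests from an internal admin and a tenant technician."""
    log: List[AuditEntry] = []
    admin = Principal("alice", "it-admin", frozenset({"facility", "tenant-A", "tenant-B"}))
    tech_a = Principal("bob", "tenant-tech", frozenset({"tenant-A", "facility"}))
    authorize(admin, "bms-main", Level.ADMIN, log=log)    # allow
    authorize(tech_a, "pdu-a1", Level.OPERATE, log=log)   # allow: own cage, within ceiling
    authorize(tech_a, "crac-01", Level.READ, log=log)     # allow: may view shared cooling
    authorize(tech_a, "crac-01", Level.OPERATE, log=log)  # deny: third party on shared gear
    authorize(tech_a, "pdu-b1", Level.READ, log=log)      # deny: another tenant's cage
    authorize(tech_a, "pdu-a1", Level.ADMIN, log=log)     # deny: above role ceiling
    return log


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The checks are ordered so that an unknown asset or an unlisted role can never be allowed, and the audit log records denials as well as grants, which is what a later audit or a simple detection rule (repeated denials from one account) needs.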
There is, unfortunately, no magic wand against security attacks; it is an on-going process. An excellent document from the U.S. Department of Homeland Security (https://ics-cert.us-cert.gov/sites/default/files/documents/Seven%20Steps%20to%20Effectively%20Defend%20Industrial%20Control%20Systems_S508C.pdf) suggests a few strategies to counteract cyber intrusions, and we can easily realise that a holistic approach is necessary.
Monitoring, access management and proper configuration/patch management are areas where a correctly deployed DCIM solution can help. Technology infrastructure such as data centers is increasingly complex, and tools geared toward its management are sorely needed.
And to stay protected from malicious or unintentional attacks we can use all the help we can get.